Saltstack Official FirewallD Formula
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

yaml_dump_spec.rb 4.0KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167
  1. # frozen_string_literal: true
  2. control 'firewalld `map.jinja` YAML dump' do
  3. title 'should contain the lines'
  4. yaml_dump = "---\n"
  5. yaml_dump += <<~YAML_DUMP.chomp
  6. AutomaticHelpers: system
  7. FirewallBackend: nftables
  8. FlushAllOnReload: 'yes'
  9. IndividualCalls: 'no'
  10. LogDenied: 'off'
  11. RFC3964_IPv4: 'yes'
  12. arch: amd64
  13. backend:
  14. manage: true
  15. pkg: nftables
  16. config: /etc/firewalld.conf
  17. default_zone: public
  18. direct:
  19. chain:
  20. MYCHAIN:
  21. ipv: ipv4
  22. table: raw
  23. rule:
  24. INTERNETACCESS:
  25. ipv: ipv4
  26. table: filter
  27. chain: FORWARD
  28. priority: '0'
  29. args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
  30. -j ACCEPT
  31. passthrough:
  32. MYPASSTHROUGH:
  33. ipv: ipv4
  34. args: -t raw -A MYCHAIN -j DROP
  35. enabled: true
  36. ipset:
  37. manage: true
  38. pkg: ipset
  39. ipsets:
  40. fail2ban-ssh:
  41. short: fail2ban-ssh
  42. description: fail2ban-ssh ipset
  43. type: hash:ip
  44. options:
  45. maxelem:
  46. - 65536
  47. timeout:
  48. - 300
  49. hashsize:
  50. - 1024
  51. entries:
  52. - 10.0.0.1
  53. fail2ban-ssh-ipv6:
  54. short: fail2ban-ssh-ipv6
  55. description: fail2ban-ssh-ipv6 ipset
  56. type: hash:ip
  57. options:
  58. family:
  59. - inet6
  60. maxelem:
  61. - 65536
  62. timeout:
  63. - 300
  64. hashsize:
  65. - 1024
  66. entries:
  67. - 2a01::1
  68. package: firewalld
  69. service: firewalld
  70. services:
  71. sshcustom:
  72. short: sshcustom
  73. description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
  74. into and executing commands on remote machines. It provides secure encrypted
  75. communications. If you plan on accessing your machine remotely via SSH over
  76. a firewalled interface, enable this option. You need the openssh-server package
  77. installed for this option to be useful.
  78. ports:
  79. tcp:
  80. - 3232
  81. - 5252
  82. modules:
  83. - some_module_to_load
  84. protocols:
  85. - igmp
  86. source_ports:
  87. tcp:
  88. - 21
  89. destinations:
  90. ipv4:
  91. - 224.0.0.251
  92. - 224.0.0.252
  93. ipv6:
  94. - ff02::fb
  95. - ff02::fc
  96. zabbixcustom:
  97. short: Zabbixcustom
  98. description: zabbix custom rule
  99. ports:
  100. tcp:
  101. - '10051'
  102. salt-minion:
  103. short: salt-minion
  104. description: salt-minion
  105. ports:
  106. tcp:
  107. - '8000'
  108. zones:
  109. public:
  110. short: Public
  111. description: For use in public areas. You do not trust the other computers on
  112. networks to not harm your computer. Only selected incoming connections are accepted.
  113. services:
  114. - http
  115. - https
  116. - ssh
  117. - salt-minion
  118. other_services:
  119. - zabbixcustom
  120. protocols:
  121. - igmp
  122. rich_rules:
  123. - family: ipv4
  124. source:
  125. address: 8.8.8.8/24
  126. accept: true
  127. - family: ipv4
  128. ipset:
  129. name: fail2ban-ssh
  130. reject:
  131. type: icmp-port-unreachable
  132. ports:
  133. - comment: zabbix-agent
  134. port: 10050
  135. protocol: tcp
  136. - comment: bacula-client
  137. port: 9102
  138. protocol: tcp
  139. - comment: vsftpd
  140. port: 21
  141. protocol: tcp
  142. source_ports:
  143. - comment: something
  144. port: 2222
  145. protocol: tcp
  146. - comment: something_else
  147. port: 4444
  148. protocol: tcp
  149. rich_public:
  150. short: rich_public
  151. description: Example
  152. rich_rules:
  153. ssh-csg:
  154. accept: true
  155. ipsets:
  156. - fail2ban-ssh
  157. - other-ipset
  158. services:
  159. - ssh
  160. YAML_DUMP
  161. describe file('/tmp/salt_yaml_dump.yaml') do
  162. its('content') { should include yaml_dump }
  163. end
  164. end